minishift: file permission issue in application container

General information

  • Minishift version: minishift-1.12.0-linux-amd64
    • openshift v3.6.1+008f2d5
    • kubernetes v1.6.1+5115d708d7
  • OS: Linux
  • Hypervisor: KVM and VirtualBox

I've prepared a docker image [1] with a setuid application which just takes an argument and writes it into /proc/1/fd/2.

[1] https://hub.docker.com/r/mhabrnal/logger-test/

Dockerfile looks like this:

FROM fedora:27
MAINTAINER "Matej Habrnal" <mhabrnal@redhat.com>

COPY suid-logger /usr/libexec/suid-logger
RUN chown root:root /usr/libexec/suid-logger
RUN chmod 4755 /usr/libexec/suid-logger

CMD while :; do sleep 1000; done

Steps to reproduce

$ oc new-app mhabrnal/logger-test
$ oc rsh <POD>
sh-4.4$ ls -al /usr/libexec/suid-logger 
-rwsr-xr-x 1 root root 816112 Feb 21 13:03 /usr/libexec/suid-logger
sh-4.4$ ls -al /proc/1/fd/2
l-wx------ 1 1000070000 root 64 Feb 21 13:55 /proc/1/fd/2 -> pipe:[74878]
sh-4.4$ echo test | /usr/libexec/suid-logger
Failed to open '/proc/1/fd/2': Permission denied

Expected

write to '/proc/1/fd/2'

Actual

Failed to open '/proc/1/fd/2': Permission denied

If the application is not setuid, everything works.

EDIT: sh-4.4$ /usr/libexec/suid-logger test UID=1000070000 EUID=0

changed to: sh-4.4$ echo test | /usr/libexec/suid-logger

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 28 (13 by maintainers)

Most upvoted comments

oc login -u system:admin -n default. Issuing this login as admin prior to the command sorts out all the issues, and afterwards I could issue the administrative command oc adm policy add-scc-to-user anyuid -z default -n projectname successfully, without the error message ... securitycontextconstraints.security.openshift.io at the cluster scope: User "developer"

Same issue here. I installed and enabled the anyuid plugin and restarted my minishift cluster, but it still does not seem to be running my deploys as root.

minishift addons install --defaults
minishift addons enable anyuid

When I run this command as either developer or system: oc adm policy add-scc-to-group anyuid system:authenticated

I get Error from server (Forbidden): User "developer" cannot get securitycontextconstraints.security.openshift.io at the cluster scope: User "developer" cannot get securitycontextconstraints.security.openshift.io at the cluster scope (get securitycontextconstraints.security.openshift.io anyuid

I also tried: oc adm policy add-scc-to-user anyuid -z default

Please take a look at the anyuid addon https://github.com/minishift/minishift-addons/addon/anyuid/

HTH


The image can be run as an unprivileged user; that is OK. We do not want to run the application as root or as some specific user, so the anyuid addon will not help here.

Inside the image there is a setuid binary (similar to /usr/bin/sudo). When you execute a setuid binary owned by root, you should get EUID=0. That works as expected.

So we have a binary with EUID=0. But when this binary tries to write to a file which is owned by 1000070000:root, it gets "permission denied". This is IMO a bug, because a process with EUID=0 should be able to write to such a file.
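A small diagnostic for the setuid situation discussed above, added here as an example; it is not code from the issue or from the minishift project, and because the source of suid-logger is not shown it makes its own open() attempt. EUID=0 after a setuid exec does not by itself mean that CAP_DAC_OVERRIDE or CAP_SYS_PTRACE are in the process's effective capability set inside a container, so the program prints the real and effective UID next to the CapEff and NoNewPrivs fields of /proc/self/status before trying the write; the capability bit numbers are those of the kernel's capability.h.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit positions from the kernel's include/uapi/linux/capability.h */
#define CAP_DAC_OVERRIDE 1
#define CAP_SYS_PTRACE   19
/* Value following `key` in /proc/PID/status text, e.g. "CapEff:\t00000000a80425fb"; 0 if absent. */
unsigned long long status_value(const char *status, const char *key)
{
    const char *p = strstr(status, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : 0;
}

/* 1 if capability `cap` is present in the 64-bit capability set, else 0. */
int cap_in_set(unsigned long long set, int cap)
{
    return (int)((set >> cap) & 1ULL);
}

/* Try to open `path` for writing, as suid-logger does; 0 on success, otherwise the errno value. */
int try_open_write(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/1/fd/2";
    char status[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(status, 1, sizeof status - 1, f) : 0;
    status[n] = '\0';
    if (f) fclose(f);
    unsigned long long eff = status_value(status, "CapEff:");
    printf("uid=%u euid=%u CapEff=%016llx DAC_OVERRIDE=%d SYS_PTRACE=%d NoNewPrivs=%llu\n",
           (unsigned)getuid(), (unsigned)geteuid(), eff, cap_in_set(eff, CAP_DAC_OVERRIDE),
           cap_in_set(eff, CAP_SYS_PTRACE), status_value(status, "NoNewPrivs:"));
    int err = try_open_write(path);
    printf("open(\"%s\", O_WRONLY): %s\n", path, err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

Built with the same chown/chmod 4755 as the Dockerfile and run instead of suid-logger, it shows whether the EUID=0 process actually holds the capabilities that an ordinary root shell would.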